Section 25: Networking - VPC Flashcards
What is CIDR - IPv4?
- CIDR = Classless Inter-Domain Routing, a method for allocating IP addresses
Subnet Mask
- XX.XX.XX.XX -> is the Base IP
- the value after the "/" is the subnet mask
- /32 = No IP can change
- /24 = The last IP can change
- /16 = The last 2 IPs can change
- /8 = The last 3 IPs can change
- /0 = All the IPs can change
What is an Internet Gateway (IGW)?
- Allows resources in a VPC to connect to the internet.
- Must be created separately from a VPC
- One VPC can only be attached to one IGW and vice versa
- Internet Gateways on their own do not allow Internet access
- Route tables must also be edited.
What is a Bastion Host?
- We use a Bastion Host to SSH into our private EC2 instances
Example
- When your EC2 instance is in a Private Subnet and you want to SSH to it, you connect to a Bastion Host in the Public Subnet and then connect to the EC2 instance in the Private Subnet.
What is a NAT Instance?
- NAT = Network Address Translation
- Allows EC2 instances in a private subnet to connect to the internet
- Must be launched in a public subnet
- Must have an Elastic IP attached to it
- Route Tables must be configured to route traffic from the private subnet to the NAT instance
What is a NAT Gateway?
- AWS managed NAT, higher bandwidth, high availability, no administration
- NATGW is created in a specific Availability Zone, uses an Elastic IP
- Requires an IGW (Private Subnet => NATGW => IGW)
What is a NACL (Network Access Control List)?
- NACLs are like a firewall which controls traffic from and to a subnet
- One NACL per subnet; new subnets are assigned the DEFAULT NACL
- You define NACL Rules:
- Rules have a number (1-32766)
- The first rule match will drive the decision
- A newly created NACL will deny everything
- NACLs are a great way of blocking specific IP addresses at the subnet level
- The Default NACL accepts everything inbound/outbound with the subnet it's associated with
- NACLs are stateless
What is VPC Reachability Analyzer?
- A network diagnostic tool that troubleshoots network connectivity between two endpoints in your VPC
- It uses the network configuration to determine if two endpoints are reachable.
What is VPC Peering?
- Privately connect two VPCs using AWS network.
- Make them behave as if they were in the same network.
- You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other.
What are VPC Endpoints (AWS PrivateLink)?
- A VPC Endpoint allows you to connect to AWS services using a private network instead of the public Internet. Since AWS services are otherwise exposed on the public Internet, an endpoint lets you reach them privately.
What are the 2 types of VPC Endpoints?
1) Interface Endpoints
- Provisions an ENI (private IP address) as an entry point
- Supports most AWS services.
2) Gateway Endpoints
- Provisions a gateway and must be used as a target in a route table
- Supports both S3 and DynamoDB
What are VPC Flow Logs?
- Capture information about IP traffic going into your interfaces:
> VPC Flow Logs
> Subnet Flow Logs
> Elastic Network Interface Flow Logs
- Helps to monitor & troubleshoot connectivity issues
How to create a VPN connection between your VPC on AWS and an on-premises site?
1) Virtual Private Gateway (VGW)
- VPN connector on AWS side.
2) Customer Gateway (CGW)
- Software application or physical device on the customer/on-premises side of the VPN connection.
Important steps:
- Make sure to enable Route Propagation for the Virtual Private Gateway.
- If you need to ping your EC2 instances from on-premises, make sure you add the ICMP protocol on the inbound of your security groups.
What is AWS VPN CloudHub?
- Provides secure communication between multiple sites, if you have multiple VPN connections.
What is Direct Connect (DX)?
- Provides a dedicated private connection from a remote network to your VPC.
- A dedicated connection must be set up between your DC and AWS Direct Connect locations
- You need to set up a Virtual Private Gateway on your VPC